### Abstract

Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the learning from parity with error problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., nonquantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size (n
^{2}) and encrypting a message increases its size by a factor of (n) (in previous cryptosystems these values are (n
^{4}) and (n
^{2}), respectively). In fact, under the assumption that all parties share a random bit string of length (n
^{2}), the size of the public key can be reduced to (n).

Original language | English (US) |
---|---|

Article number | 1568324 |

Journal | Journal of the ACM |

Volume | 56 |

Issue number | 6 |

DOIs | |

State | Published - Sep 1 2009 |

### Fingerprint

### Keywords

- Average-case hardness
- Cryptography
- Lattice
- Public key encryption
- Quantum computation

### ASJC Scopus subject areas

- Hardware and Architecture
- Software
- Artificial Intelligence
- Information Systems
- Control and Systems Engineering

### Cite this

**On lattices, learning with errors, random linear codes, and cryptography.** / Regev, Oded.

Research output: Contribution to journal › Article

*Journal of the ACM*, vol. 56, no. 6, 1568324. https://doi.org/10.1145/1568318.1568324

}

TY - JOUR

T1 - On lattices, learning with errors, random linear codes, and cryptography

AU - Regev, Oded

PY - 2009/9/1

Y1 - 2009/9/1

N2 - Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the learning from parity with error problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., nonquantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size (n 2) and encrypting a message increases its size by a factor of (n) (in previous cryptosystems these values are (n 4) and (n 2), respectively). In fact, under the assumption that all parties share a random bit string of length (n 2), the size of the public key can be reduced to (n).

AB - Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the learning from parity with error problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., nonquantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size (n 2) and encrypting a message increases its size by a factor of (n) (in previous cryptosystems these values are (n 4) and (n 2), respectively). In fact, under the assumption that all parties share a random bit string of length (n 2), the size of the public key can be reduced to (n).

KW - Average-case hardness

KW - Cryptography

KW - Lattice

KW - Public key encryption

KW - Quantum computation

UR - http://www.scopus.com/inward/record.url?scp=70349309809&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70349309809&partnerID=8YFLogxK

U2 - 10.1145/1568318.1568324

DO - 10.1145/1568318.1568324

M3 - Article

VL - 56

JO - Journal of the ACM

JF - Journal of the ACM

SN - 0004-5411

IS - 6

M1 - 1568324

ER -